The immediate impact of Friday’s global technology failure is expected to be short-lived; however, longer term, it highlights the risk of third-party technology dependence — a threat that was already on financial regulators’ radar.
In a research note, Morningstar DBRS said that, while the effects of the global disruption to certain information technology (IT) systems have been widespread — with varied sectors such as airlines, financial services, broadcasters and retail all affected — it doesn’t expect to see a lasting impact on the companies it rates.
For instance, while the disruption to airline travel has been acute — with a large number of flights on Friday being cancelled and delayed, possibly spilling into the weekend — the issue isn’t expected to be prolonged.
“As a result, we expect the impact to the global airline industry to be manageable and not have a material impact on the credit profile of impacted airlines,” DBRS said.
Similarly, it said it doesn’t anticipate any ratings effects in the financial sector.
“The impact of the CrowdStrike IT fallout on banks appears to be limited with most banks appearing to be fully operational,” it said, adding that it was largely banks in Asia and Europe that were affected, given the timing of the issue.
“There have been some trading issues in Europe, but these issues appear to have had a limited impact,” it said. “Major stock markets in Europe and North America are operating normally, with just the London Stock Exchange’s news service down.”
In retail, a number of companies suffered issues in both their physical stores and e-commerce channels, along with their supply chains.
“Some of these effects are expected to linger into next week depending on how long it takes to restore systems and resolve the disruptions that were created,” the report said. The episode highlights the benefits of “robust technology infrastructure and well-established contingency plans to support business continuity.”
Potential sales losses will likely be made up once retailers’ operations are restored, it noted, and it doesn’t expect ratings impacts in retail.
“Looking ahead, this incident may cause commercial users of outsourced cyber security software to invest in their internal IT capabilities or look to build more redundancies and protections into their systems,” the report said.
Additionally, the episode could “raise regulatory questions about the oligopolistic nature of critical IT infrastructure globally and could impact the critical software industry landscape over the long term,” DBRS said.
Fitch Ratings echoed that view, noting that policymakers such as the Financial Stability Board have “long warned that increasing reliance on third-party service providers for critical resources could lead to risks to financial stability if not properly managed, for instance, due to a cross-border glitch from a major IT service provider.”
While outsourcing can provide companies with flexibility, reduce their dependence on legacy systems and enable innovation, it also exposes them to risks from IT suppliers, Fitch noted.
“Financial institutions’ dependencies on third parties has grown in recent years as part of the ongoing digitalization of the sector. The economies of scale are compelling, but they can also bring systemic risks,” said Fitch in a research note.
“We expect authorities to press for global coordination and collaboration to subject critical service providers to some oversight,” Fitch said.
Earlier this month, the Basel Committee on Banking Supervision launched a consultation on a proposed new set of standards to “address banks’ increasing reliance on third-party service providers due to the ongoing digitalization and rapid growth in financial technology.”
Those proposals are out for comment until Oct. 9.
And earlier this week, European financial regulators, including the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority, announced plans for a pan-European systemic cyber incident coordination framework to lead the financial sector’s response to these sorts of incidents.
In the months ahead, they plan to launch a secretariat to support the framework’s operations, a forum to work on testing, and a crisis coordination function.
The project stems from a recommendation from the European Systemic Risk Board, which identified a “shortfall in crisis management frameworks that could lead to a lack of financial sector coordination in the event of a significant cross-border” technology incident, the regulators said.